Getting Ready for Badlock

Published: 2016-03-23. Last Updated: 2016-03-23 14:59:50 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

It got a catchy name, it got a logo... so it must be serious. Or at least that is what is implied with the "Badlock" vulnerability that was pre-announced this week.

At this point, there is only a vague pre-announcement. The details, and a patch, will be released on April 12th, Microsoft's next Patch Tuesday.

The vulnerability will affect systems running SAMBA (an open source implementation of the SMB protocol, commonly found on Unix systems) as well as Windows systems. The second group is probably easier to identify, and given that we should have a patch from Microsoft on April 12th, your normal patch procedures should have you covered.

The Unix part can be a bit more tricky. To get ready for April 12th, it may be worthwhile to scan your environment for systems with SMB enabled. This will give you a head start once the patch is released. Due to the high-profile pre-announcement, I expect major Unix versions to release a patch on April 12th as well.

OS X started using its own implementation of the SMB protocol, sometimes referred to as SMBX, with OS X 10.7 (Lion). You are probably not going to find a lot of pre-10.7 systems still around, and if you do, you probably won't get a patch from Apple. SMBX is not listed in the Badlock pre-announcement. We can assume at this point that it is not vulnerable.

A possible twist to this would be vulnerable clients. It is possible to trick a client into connecting to an SMB share using the "smb:" protocol. Outbound traffic from clients is often less strictly controlled than inbound.

Short summary: what should you do before April 12th?

  • inventory SMB servers
  • verify firewall rules to block SMB inbound AND outbound
  • order some donuts/pizza for the patch team for April 12th. It could be a busy day. 
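As an added example (not part of the diary), here is how the "inventory SMB servers" step can be turned into a repeatable check: the nmap command line scans the two ports discussed here (139 and 445) with the smb-os-discovery script a commenter mentions, and the post-processing turns nmap's grepable output into a host/port list. The sample scan output, addresses and hostnames are constructed.

```shell
# Added example, not the diary's own tooling. The scan line below is what you
# would run against your own ranges (the network is a placeholder):
#
#   nmap -p 139,445 --script smb-os-discovery -oG smb-scan.gnmap 10.0.0.0/24
#
# Constructed sample of nmap's grepable (-oG) output. Real -oG separates fields
# with tabs, so the sample is built with printf to keep the tabs intact.
SAMPLE_GNMAP="$(printf '%s\n' \
  '# Nmap scan initiated (constructed sample)' \
  'Host: 10.0.0.5 (fileserver.example.test)	Status: Up' \
  'Host: 10.0.0.5 (fileserver.example.test)	Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///	Ignored State: filtered (0)' \
  'Host: 10.0.0.9 ()	Ports: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///' \
  'Host: 10.0.0.17 ()	Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///' \
  '# Nmap done' | tr '\t' '\t')"

# smb_inventory: read -oG text on stdin and print "ip port" for every host
# with 139 or 445 open. "Status: Up" lines carry no port data and are skipped;
# hosts whose SMB ports are only closed or filtered are dropped entirely.
smb_inventory() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2                      # second whitespace field is the address
            line = $0
            sub(/.*Ports: /, "", line)   # keep only the port list (and anything after it)
            n = split(line, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")      # port/state/proto//service///
                if ((f[1] == "139" || f[1] == "445") && f[2] == "open")
                    print ip, f[1]
            }
        }'
}

# smb_host_count: number of distinct hosts exposing SMB in the sample,
# i.e. the size of the list to hand to the patch team on April 12th.
smb_host_count() {
    printf '%s\n' "$SAMPLE_GNMAP" | smb_inventory | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}
```

Feed the real `smb-scan.gnmap` to `smb_inventory` instead of the sample; hosts that show up on 139 are also candidates for the NetBIOS cleanup suggested in the comments.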

Side note: Stefan Metzmacher, who is credited with discovering the vulnerability, is the author of the file "lock.c" in Samba. This file appears to deal with SMB2 lock requests. It is pretty short, but includes an "interesting" comment: "/* this is quite bizarre - the spec says we must lie about the length! */".

---
Johannes B. Ullrich, Ph.D.

Comments

Are there any ports other than 445 that need to be scrutinized in relation to BADLOCK? I realize you may not have the details yet, either.

Why is nothing published on TechNet / Microsoft?

[quote=comment#36747]Are there any ports other than 445 that need to be scrutinized in relation to BADLOCK?[/quote]
Port 139, if you have good ol' NetBIOS over TCP/IP enabled. If that's the case, you should use this opportunity to get rid of it, regardless of BADLOCK.

I'm using the nmap script "--script smb-os-discovery" to scan for all SMB in my env.

I went ahead and included 137-139 as well as 445 in a scan using Angry IP Scanner.